CN114218548A - Identity verification certificate generation method, authentication method, device, equipment and medium - Google Patents


Info

Publication number
CN114218548A
Authority
CN
China
Prior art keywords
account
certificate
public key
authentication
identity
Prior art date
Legal status
Granted
Application number
CN202111528197.2A
Other languages
Chinese (zh)
Other versions
CN114218548B (en)
Inventor
安晓江
漆骏锋
胡伯良
Current Assignee
Beijing Haitai Fangyuan High Technology Co Ltd
Original Assignee
Beijing Haitai Fangyuan High Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Haitai Fangyuan High Technology Co Ltd
Priority to CN202111528197.2A
Publication of CN114218548A
Application granted
Publication of CN114218548B
Legal status: Active
Anticipated expiration


Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals › G06F21/31 User authentication › G06F21/33 User authentication using certificates
    • G06F21/30 Authentication › G06F21/45 Structures or tools for the administration of authentication
    • G06F21/60 Protecting data › G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/60 Protecting data › G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules › G06F21/6218 Protecting access to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications › G06F2221/2137 Time limited access, e.g. to a computer or data
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups › G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Automation & Control Theory (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

An identity verification certificate generation method, an identity authentication method, an apparatus, a device and a medium relate to the technical field of data security and address the problem that, when the same account is used from several terminals, the server has to call several digital certificates during signature verification. The method comprises: receiving a signature certificate application message sent by the terminal where an account is located; generating a digital certificate for that terminal according to the application message and storing it; if the account is applying for a signature certificate for the first time, generating an account identity authentication certificate from the digital certificate; and if the account is not applying for the first time, updating the stored account identity authentication certificate with the public key of the most recently generated digital certificate. During identity authentication the server therefore does not call the account's several digital certificates one by one for signature verification; it calls the single identity authentication certificate file and verifies the signature with the public keys in its public key field.

Description

Identity verification certificate generation method, authentication method, device, equipment and medium
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method for generating an authentication certificate, a method, an apparatus, a device, and a medium for authenticating an identity.
Background
As society develops, data security becomes ever more important, and to protect data a receiver usually relies on digital signature technology to authenticate the identity of the sender.
In one digital signature scheme, the sender generates a pair consisting of a public key and a private key; the private key is known only to the sender and the public key is published. The sender signs a value specified by the receiver with its private key and transmits the result to the receiver, and the receiver verifies it with the sender's public key. If the value obtained by verification is consistent with the specified value, the signature is legitimate; because only the sender holds the private key, the signature identifies the sender. This process is called signature verification.
In practice the same account of the same user often has several different user terminals, for example a PC terminal and an Android terminal. For security, the identity of the account must be verified when it accesses the server, so each terminal applies to the server for a digital certificate with which its identity can be verified. In the prior art the server generates a separate digital certificate for each terminal of the same account, each containing that terminal's public key, and during signature verification it must parse the public key out of every digital certificate of the account and try each in turn. This makes signature verification relatively slow, and when many accounts each have several terminals, the server's signature verification time grows accordingly.
Disclosure of Invention
The application aims to provide an identity authentication certificate generation method, an identity authentication device, identity authentication equipment and an identity authentication medium.
In a first aspect, an embodiment of the present invention provides a method for generating an authentication certificate, which is applied to a certificate authority CA server, where the method includes:
receiving a signature certificate application message sent by a terminal where an account is located, wherein the signature certificate application message at least comprises identity identification information and a public key of the account, the identity identification information is used for identifying the account, and the public key is generated by the terminal where the account is located;
generating a digital certificate corresponding to the terminal where the account is located according to a signature certificate application message sent by the terminal where the account is located, wherein the digital certificate at least comprises a certificate validity period and the public key, and storing the digital certificate;
if the account is applying for a signature certificate for the first time, generating the account identity authentication certificate according to the digital certificate; if the account is not applying for the first time, updating the stored account identity authentication certificate according to the public key of the most recently generated digital certificate, so that the account identity authentication certificate contains all public keys of the account at its different terminals; and in either case re-signing the identity authentication certificate.
According to this embodiment, when the terminal where the account is located applies to the server for a signature certificate, the server generates an identity authentication certificate in addition to the corresponding digital certificate, and the public key field of the identity authentication certificate holds the public keys of all the different terminals of the same account. During identity authentication the server therefore does not call the account's several digital certificate files one by one; it calls the single identity authentication certificate file and verifies the signature with the public keys in its public key field, which raises the signature verification speed, shortens the verification time and improves efficiency. The re-signing step is what makes this safe: a verifier must check the CA's signature over the identity authentication certificate and its validity period before trusting the public key field, since otherwise anyone able to alter the stored file could add a public key of their own to the account.
In some embodiments, generating the account authentication certificate according to the digital certificate specifically comprises: generating the account authentication certificate as a copy of the digital certificate.
This embodiment provides one way to generate the account identity authentication certificate: when an account applies to the server for a digital certificate for the first time, the corresponding account identity authentication certificate is generated from it. The account identity authentication certificate and the account's digital certificate are two mutually independent files that do not interfere with each other in use and do not affect the encryption and decryption of transmitted data.
In some embodiments, updating the stored account authentication certificate according to the public key of the most recently generated digital certificate specifically comprises: extracting the public key of the most recently generated digital certificate and adding it to the public key field of the stored account authentication certificate.
In this embodiment, each time a further terminal of the account applies to the server for a certificate, the public key of that newly applying terminal is added to the public key field of the account authentication certificate, so that the public key field always contains the public keys of all current terminals of the account.
In some embodiments, after updating the stored account authentication certificate and before re-signing it, the method further comprises updating the certificate validity period of the account authentication certificate.
By bounding and updating the certificate validity period of the account identity authentication certificate, the certificate can be used normally only within its validity period, which improves its security. In use, the validity period of the authentication certificate must be checked: signature verification is performed only if the current time lies within the validity period, and is refused otherwise. Any change to the account authentication certificate may also update its validity period, so that the validity period is always current.
In some embodiments, updating the certificate validity period of the account authentication certificate specifically comprises one of: changing the certificate validity period of the account authentication certificate to that of the most recently generated digital certificate; or extracting and comparing the validity periods of all stored digital certificates of the account, identifying the Mth digital certificate as the one with the shortest validity period, and changing the certificate validity period of the account identity authentication certificate to that of the Mth digital certificate; or extracting and comparing the validity periods of all stored digital certificates of the account, identifying the Mth digital certificate as the one with the longest validity period, and changing the certificate validity period of the account identity authentication certificate to that of the Mth digital certificate; where M is a positive integer greater than or equal to 1.
This embodiment offers several ways of updating the certificate validity period of the account authentication certificate: it can be set to the validity period of the most recently generated digital certificate, or the validity periods of all the account's digital certificates can be compared and the shortest or the longest chosen, so that the validity period of the account authentication certificate stays within a reasonable range. The choice matters in practice: with the shortest policy the lapse of any one terminal certificate makes the whole account certificate unusable until it is next updated, whereas with the longest policy (or the most-recent policy) a lapsed terminal's key remains in the public key field until the periodic validity check removes it.
In some embodiments, extracting and comparing the validity periods of all stored digital certificates of the account and confirming that the Mth digital certificate has the shortest validity period specifically comprises: extracting the certificate start date and certificate end date from the certificate validity field of each stored digital certificate of the account; determining the shortest either by the length of time between start date and end date or by the certificate end date that is closest to the current date; and taking the digital certificate so determined as the Mth digital certificate.
In some embodiments, extracting and comparing the validity periods of all stored digital certificates of the account and confirming that the Mth digital certificate has the longest validity period specifically comprises: extracting the certificate start date and certificate end date from the certificate validity field of each stored digital certificate of the account; determining the longest either by the length of time between start date and end date or by the certificate end date that is farthest from the current date; and taking the digital certificate so determined as the Mth digital certificate.
These embodiments provide ways of determining which digital certificate has the shortest or the longest validity period. The two criteria can disagree (a certificate issued long ago with a long lifetime may still have the earliest end date), so the criterion should follow what the validity period is meant to guarantee; comparing end dates ensures the account certificate never outlives the terminal certificate it is derived from.
In some embodiments, the method further comprises: periodically checking the certificate validity period of each digital certificate, and if the current date is determined not to lie within the certificate validity period of a digital certificate, updating the account authentication certificate according to the account identity identification information of that digital certificate, so that on the current date every public key in the account authentication certificate belongs to a digital certificate whose validity period is still current.
In this embodiment the validity of each digital certificate is checked regularly to decide whether the corresponding public key may still be used; if a digital certificate has expired, the authentication certificate of the corresponding account is updated so that the public keys in the account's authentication certificate are always current. This solves the problem that the public key of an expired digital certificate would otherwise remain usable through the account authentication certificate, and improves the security of the authentication certificate.
In some embodiments, updating the account authentication certificate according to the account identification information of the digital certificate specifically comprises: determining the account identity authentication certificate from the account identity identification information of the digital certificate; searching the account authentication certificate for the public key that is the same as that of the digital certificate; and deleting that public key from the account authentication certificate.
This embodiment provides a way of updating the account authentication certificate according to the account identification information of the digital certificate: the account authentication certificate is located from the account identification information, the public key matching the digital certificate is found, and that public key is deleted, so that the account authentication certificate is brought up to date. After the deletion the certificate is re-signed, as for any other change. Note that an older copy of the certificate still carries a valid CA signature, so a server that relies on this expiry-driven removal should keep only the latest version, or include a serial number or issue time in the signed content, so that a stale copy cannot be substituted.
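The first-aspect procedure above (per-terminal certificate, first versus subsequent application, validity-period update, periodic removal of expired keys, and re-signing) as a runnable model. This is an added example, not code from the patent or its assignee. It assumes Ed25519 for both the CA and the terminals (the patent does not name an algorithm), uses a JSON record signed by the CA in place of the X.509 v3 structure of Fig. 1 (X.509 has no multi-key SubjectPublicKeyInfo), implements the "shortest validity" option by earliest end date, and rebuilds the account certificate from the stored terminal certificates rather than appending or deleting single keys, which yields the same result. All type and function names (`CA`, `AccountCert`, `Issue`, `Sweep`, `Verify`) are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

type TerminalCert struct { // the per-terminal digital certificate the CA stores
	PubKey              ed25519.PublicKey
	NotBefore, NotAfter time.Time
}

// AccountCert is the account identity authentication certificate: every terminal
// key of the account in one public-key field, a validity period and the CA's
// signature. X.509 has no multi-key SubjectPublicKeyInfo, so JSON stands in for Fig. 1.
type AccountCert struct {
	Account   string              `json:"account"`
	PubKeys   []ed25519.PublicKey `json:"pubkeys"`
	NotBefore time.Time           `json:"notBefore"`
	NotAfter  time.Time           `json:"notAfter"`
	Signature []byte              `json:"sig"`
}

// CA holds the CA key pair and both certificate stores, keyed by account id.
type CA struct {
	priv  ed25519.PrivateKey
	Pub   ed25519.PublicKey
	certs map[string][]TerminalCert
	Acct  map[string]*AccountCert
}

func NewCA() *CA {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &CA{priv, pub, map[string][]TerminalCert{}, map[string]*AccountCert{}}
}

// tbs is the to-be-signed encoding: every field except Signature.
func tbs(a *AccountCert) []byte {
	tmp := *a
	tmp.Signature = nil
	b, _ := json.Marshal(tmp)
	return b
}

// rebuild derives the account certificate from the stored terminal certificates: all
// their keys, the shortest validity (earliest end date; the text also allows "latest
// issued" or "longest"), then the CA signature. Rebuilding equals the text's add/delete.
func (c *CA) rebuild(account string) *AccountCert {
	certs := c.certs[account]
	a := &AccountCert{Account: account, NotBefore: certs[0].NotBefore, NotAfter: certs[0].NotAfter}
	for _, tc := range certs {
		a.PubKeys = append(a.PubKeys, tc.PubKey)
		if tc.NotAfter.Before(a.NotAfter) {
			a.NotBefore, a.NotAfter = tc.NotBefore, tc.NotAfter
		}
	}
	a.Signature = ed25519.Sign(c.priv, tbs(a))
	c.Acct[account] = a
	return a
}

// Issue stores the new terminal certificate, then creates (first application) or updates the account certificate.
func (c *CA) Issue(account string, pub ed25519.PublicKey, validFor time.Duration, now time.Time) *AccountCert {
	c.certs[account] = append(c.certs[account], TerminalCert{pub, now, now.Add(validFor)})
	return c.rebuild(account)
}

// Sweep is the periodic check: lapsed terminal certificates are dropped and their keys leave the re-signed account certificate.
func (c *CA) Sweep(now time.Time) {
	for account, certs := range c.certs {
		kept := certs[:0]
		for _, tc := range certs {
			if !now.Before(tc.NotBefore) && !now.After(tc.NotAfter) {
				kept = append(kept, tc)
			}
		}
		if c.certs[account] = kept; len(kept) > 0 {
			c.rebuild(account)
		} else {
			delete(c.Acct, account) // no valid terminal left: nothing to authenticate with
		}
	}
}

// Verify is the relying server's check before trusting the key list: CA signature and validity period.
func Verify(caPub ed25519.PublicKey, a *AccountCert, now time.Time) bool {
	return a != nil && ed25519.Verify(caPub, tbs(a), a.Signature) &&
		!now.Before(a.NotBefore) && !now.After(a.NotAfter)
}

func main() {
	ca, now := NewCA(), time.Now()
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	a := ca.Issue("alice", pub, 24*time.Hour, now)
	fmt.Println(len(a.PubKeys), "key(s); CA signature and validity OK:", Verify(ca.Pub, a, now))
}
```

`Verify` is the step a relying server must not skip: because the public-key field aggregates several terminals, an unsigned or stale key list would let anyone who can write to the certificate store add a key to the account. The test below issues a one-year PC certificate and a 30-day phone certificate, checks that the account certificate takes the shorter validity, that tampering with the key list is detected, and that the periodic sweep removes the phone key once its certificate has lapsed.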
In a second aspect, an embodiment provides an identity authentication method applied to a certificate authority CA server, the method comprising: receiving a request message sent by an account terminal, the request message applying for identity authentication, then generating random information and sending it to the account terminal; receiving an identity authentication request message sent by the account terminal, the identity authentication request message comprising identity identification information of the account and signature value information, where the identity identification information identifies the account and the signature value information is produced by signing the random information with the private key of the account terminal; obtaining the authentication certificate of the account according to the identity identification information and obtaining the public key information in its public key field, the public key information comprising all public keys of the account; verifying the signature value information with the public keys in the public key information one by one, so that if verification with any one public key succeeds (for a scheme with message recovery, the recovered value equals the random information) identity authentication passes, and if verification fails with every public key identity authentication fails; and sending the authentication result to the account terminal.
According to this embodiment, the account identity certificate is used for verification, and since it contains all of the account's public key information the signature verification process is completed by calling the account identity certificate alone; the several digital certificates of the same account need not be called one by one, so the server's signature verification is faster, its verification time is shortened, and its efficiency improves. For the exchange to be sound the random information must be fresh and unpredictable, tied to the requesting account, and accepted only once, otherwise a captured signature value could be replayed; and because any one of the terminals' keys authenticates the whole account, compromise of a single terminal's private key is equivalent to compromise of the account until that key's digital certificate is removed.
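The challenge-response exchange of the second aspect, with both sides shown, as an added example that is not code from the patent or its assignee. It assumes Ed25519 signatures (so verification returns accept or reject rather than recovering the random information) and takes the account's key list as the public-key field of an identity authentication certificate that has already been checked against the CA signature and validity period; that check is a separate step and is not repeated here. The single-use, time-limited challenge is the freshness discipline the text's "random information" needs, and returning the index of the matching key is an addition so that a login can be attributed to one terminal. `Server`, `Terminal`, `Challenge` and `Authenticate` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// challenge is one outstanding piece of random information and its deadline.
type challenge struct {
	nonce   []byte
	expires time.Time
}

// Server is the verifying side. Keys holds, per account, the public-key field of the
// account's identity authentication certificate, assumed here to have been checked
// already against the CA signature and validity period (that step is not shown).
type Server struct {
	Keys   map[string][]ed25519.PublicKey
	nonces map[string]challenge
}

func NewServer() *Server {
	return &Server{map[string][]ed25519.PublicKey{}, map[string]challenge{}}
}

// Challenge answers the terminal's request for authentication with 32 bytes of
// fresh random information, which must be signed and returned within ttl.
func (s *Server) Challenge(account string, now time.Time, ttl time.Duration) []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	s.nonces[account] = challenge{n, now.Add(ttl)}
	return n
}

// Authenticate handles the identity authentication request: it consumes the live
// challenge for the account and tries the signature against every public key in
// the account's key list. It returns the index of the key that verified, so the
// login can be attributed to one terminal, or -1 and an error.
func (s *Server) Authenticate(account string, sig []byte, now time.Time) (int, error) {
	ch, ok := s.nonces[account]
	delete(s.nonces, account) // single use: a replayed signature finds no challenge
	if !ok || now.After(ch.expires) {
		return -1, errors.New("no live challenge for account")
	}
	for i, pk := range s.Keys[account] {
		if ed25519.Verify(pk, ch.nonce, sig) {
			return i, nil
		}
	}
	return -1, errors.New("signature matches none of the account's terminal keys")
}

// Terminal is one device of the account; it holds the private key generated there.
type Terminal struct{ priv ed25519.PrivateKey }

func (t Terminal) Sign(nonce []byte) []byte { return ed25519.Sign(t.priv, nonce) }

func main() {
	srv, now := NewServer(), time.Now()
	pcPub, pcPriv, _ := ed25519.GenerateKey(rand.Reader)
	phPub, phPriv, _ := ed25519.GenerateKey(rand.Reader)
	srv.Keys["alice"] = []ed25519.PublicKey{pcPub, phPub} // PC first, phone second
	pc, phone := Terminal{pcPriv}, Terminal{phPriv}

	n := srv.Challenge("alice", now, time.Minute)
	fmt.Println(srv.Authenticate("alice", phone.Sign(n), now)) // phone authenticates as key 1
	fmt.Println(srv.Authenticate("alice", phone.Sign(n), now)) // same signature again: rejected
	n = srv.Challenge("alice", now, time.Minute)
	fmt.Println(srv.Authenticate("alice", pc.Sign(n), now)) // PC authenticates as key 0
}
```

Trying every key in the list is the patent's procedure; with many terminals per account a key identifier sent alongside the signature would let the server pick the right key directly, but that is an optimisation outside what the text describes.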
In a third aspect, an embodiment of the present invention provides an apparatus for generating an authentication certificate, where the apparatus includes:
a receiving module and a generating module, wherein the receiving module is configured to receive a signature certificate application message sent by the terminal where an account is located, the signature certificate application message comprising at least identity identification information of the account and a public key, the identity identification information identifying the account and the public key being generated by the terminal where the account is located; the generating module is configured to generate a digital certificate for the terminal where the account is located according to the signature certificate application message received by the receiving module, the digital certificate comprising at least a certificate validity period and the public key, and to store the digital certificate; and the generating module is further configured to generate the account authentication certificate according to the digital certificate if the account is applying for a signature certificate for the first time, and otherwise to update the stored account identity authentication certificate according to the public key of the most recently generated digital certificate, so that the account identity authentication certificate contains all public keys of the account, and in either case to re-sign the identity authentication certificate.
In some embodiments, the generating module generates the account authentication certificate according to the digital certificate, specifically including: the account authentication certificate is the same as the digital certificate. In some embodiments, the generating module updates the stored account authentication certificate according to the latest generated public key of the digital certificate, specifically including: and extracting the public key of the digital certificate generated last time, and adding the public key to the public key field of the stored account authentication certificate.
In some embodiments, the generation module is further configured to update the certificate validity period of the account authentication certificate.
In some embodiments, the updating the certificate validity period of the account authentication certificate specifically includes: changing the certificate validity period of the account authentication certificate to the certificate validity period of the digital certificate generated last time; or extracting and comparing the validity periods of all the stored digital certificates of the account, confirming that the validity period of the Mth digital certificate is the shortest, and changing the certificate validity period of the account identity authentication certificate into the certificate validity period of the Mth digital certificate; or extracting and comparing the validity periods of all the stored digital certificates of the account, confirming that the validity period of the Mth digital certificate is longest, and changing the certificate validity period of the account identity authentication certificate into the certificate validity period of the Mth digital certificate; wherein M is a positive integer greater than or equal to 1.
In some embodiments, the generating module is further configured to: and regularly judging the certificate validity period of the digital certificate, and if the current date is determined not to be within the certificate validity period range of the digital certificate, updating the account authentication certificate according to the account identity identification information of the digital certificate, so that all public keys of the account authentication certificate on the current date are within the corresponding certificate validity period range of the digital certificate.
In some embodiments, the updating the account authentication certificate according to the account identification information of the digital certificate specifically includes: determining the account identity authentication certificate according to the account identity identification information of the digital certificate; searching a public key which is the same as the digital certificate in the account authentication certificate; and deleting the public key which is the same as the digital certificate in the account authentication certificate.
In a fourth aspect, an embodiment provides an identity authentication apparatus comprising a receiving module, an obtaining module and a verification module.
The receiving module is configured to receive an identity authentication request message sent by an account terminal, the identity authentication request message comprising identity identification information of the account and signature value information, where the identity identification information identifies the account and the signature value information is produced by signing, with the private key of the account terminal, random information generated by the apparatus. The obtaining module is configured to obtain the authentication certificate of the account according to the identity identification information in the request received by the receiving module, and to obtain the public key information in the public key field of that certificate, the public key information comprising all public keys of the account at its different terminals. The verification module is configured to verify the signature value information with the public keys obtained by the obtaining module one by one: if verification succeeds with one of the public keys the identity authentication passes, and if it fails with every public key the authentication does not pass.
In a fifth aspect, an embodiment of the present invention provides an electronic device, where the electronic device at least includes a processor and a memory, and the processor is configured to execute, when executing a computer program stored in the memory, any one of the identity verification certificate generation method in the first aspect and the identity authentication method in the second aspect.
In a sixth aspect, an embodiment of the present invention provides a computer-readable storage medium, which stores a computer program, and the computer program is executed by a processor to perform the method for generating an authentication certificate according to any one of the first aspect and the method for authenticating an identity according to the second aspect.
The beneficial effects of the third aspect to the sixth aspect can be seen from the corresponding beneficial effects of the first aspect and the second aspect, and are not described herein again.
Drawings
To illustrate the technical solution more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings show only some embodiments of the invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 shows the structure of an X.509 v3 public key certificate as used by the embodiment;
fig. 2 is a flowchart of a method for generating an authentication certificate according to an embodiment of the present invention;
fig. 3 is a signaling flowchart of an authentication certificate generating method corresponding to fig. 2 according to an embodiment of the present invention;
fig. 4 is a flowchart of another method for generating an authentication certificate according to an embodiment of the present invention;
fig. 5 is a flowchart of another method for generating an authentication certificate according to an embodiment of the present invention;
fig. 6 is a signaling flowchart of an identity authentication method according to an embodiment of the present invention;
fig. 7 is a schematic diagram of an apparatus for generating an authentication certificate according to an embodiment of the present invention;
fig. 8 is a schematic diagram of an identity authentication apparatus according to an embodiment of the present invention;
fig. 9 is a schematic view of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments that can be derived by one of ordinary skill in the art from the embodiments given herein are intended to be within the scope of the present invention.
The following presents a simplified summary of an application scenario of the present invention.
In the course of information transmission, the information sent and received needs to be encrypted and decrypted for security, and asymmetric encryption is one way of doing so.
An asymmetric system encrypts and decrypts with a matched pair of keys. This is the public key system on which a public key infrastructure (PKI) is built, and it is the system adopted for digital certificates. Each user holds a specific key that only that user possesses, the private key, and uses it for decryption and for signing; the user also sets a public key, which is published and shared with a group of users and is used for encryption and for verifying signatures. The public key is derived from the private key by a computation that cannot feasibly be reversed, so publishing the public key does not reveal the private key.
When a confidential document is sent, the sender encrypts the data with the receiver's public key and the receiver decrypts it with the receiver's own private key. Because the private key is held only by the receiver, a third party who intercepts the ciphertext cannot decrypt it, so the information reaches its destination safely: encryption uses the public key and decryption requires the matching private key. Signature verification is the reverse process: the signature is produced with the private key and checked with the public key.
For signature verification, the sender signs the information that the receiver sent to it with the sender's own private key (in the terminology of this description, encrypts it with the private key) and returns the result to the receiver. The receiver checks the result with the sender's public key to recover the original text; if that text is consistent with what the receiver sent, the reply is proved to have come from the sender.
Because the private key is held only by the sender, the signing operation produces a value that nobody else can generate: a digital signature. A digital signature establishes two points. First, the information was sent by the signer, who cannot deny, or can only with difficulty deny, having sent it. Second, the issued file is authentic, because the information cannot be modified after signing without invalidating the signature.
Since a signature is verified with the sender's public key, the verification process needs an authority that vouches for the binding between the sender's identity and that public key. A certificate authority (CA) is a trusted third party, trusted by the users, that generates and distributes digital certificates to users; among its responsibilities are issuing digital certificates to users and confirming their identity.
The embodiments of the present invention are described by taking a CA authentication server as an example and the X.509v3 public key certificate structure as an example. The certificate structure is shown in fig. 1, and the digital certificate that the CA server issues to a user to prove identity conforms to this standard.
The fields of the digital certificate include a subject name field (used here as the account ID), which identifies the principal of the account, and a subject public key field (the public key field), which carries the public key itself.
A method for generating an identity authentication certificate, applied to a certificate authority (CA) server, comprises the following steps:
receiving a signature certificate application message sent by the terminal where an account is located, the message comprising at least the identity identification information and the public key of the account, where the identity identification information identifies the account and the public key was generated by the terminal where the account is located;
generating, from the signature certificate application message, a digital certificate corresponding to the terminal where the account is located, the digital certificate comprising at least a certificate validity period and the public key, and storing the digital certificate;
if this is the account's first application for a signature certificate, generating an account identity authentication certificate from the digital certificate; if it is not the account's first application, updating the stored account identity authentication certificate with the public key of the digital certificate just generated, so that the account identity authentication certificate contains all public keys of the account, and re-signing the identity authentication certificate.
The following description is made by way of specific examples, as shown in fig. 2 and 3.
S201/S302: receive the signature certificate application message sent by the terminal where the account is located;
Before applying to the CA server for a signature certificate, the terminal where the account is located must generate a public/private key pair (step S301 in fig. 3). The algorithm and tool used to generate the key pair are not limited here; those skilled in the art can generate it with existing techniques.
After generating the key pair, the terminal keeps the private key and sends the public key to the server as part of the application information; optionally, the signature certificate application file carries the suffix .csr.
The signature certificate application comprises at least the identity identification information and the public key of the account, where the identity identification information identifies the account and the public key was generated by the terminal where the account is located. Usually the application also carries algorithm information identifying the algorithm the public key belongs to, so that the server can use the public key with the corresponding algorithm for encryption and signature verification. The application is sent to the server as a message.
S202/S303: generate and store a digital certificate corresponding to the terminal where the account is located, according to the signature certificate application message sent by that terminal;
After receiving the signature certificate application message, the server generates a digital certificate corresponding to the terminal where the account is located. The digital certificate contains the public key that the terminal carried in the application message; the field layout of the generated certificate is shown in fig. 1. After generating the digital certificate, the server stores it.
S203: Is this the account's first application?
Whether this is the account's first application is determined from the subject name field (the account ID; see the certificate structure in fig. 1), that is, from whether the server already holds an identity authentication certificate for that account ID. If it is the first application, step S204 is executed; if it is not, step S205 is executed.
S204/S304: generate the account identity authentication certificate from the digital certificate;
The way the account identity authentication certificate is generated from the digital certificate is not limited: the digital certificate can be copied, or two copies can be produced directly while the digital certificate is being generated, one of which serves as the account identity authentication certificate.
S205/S304: update the stored account identity authentication certificate with the public key of the digital certificate just generated, so that the account identity authentication certificate contains all public keys of the account at its different terminals, and re-sign the identity authentication certificate.
If this is not the account's first application for a digital certificate, the account already has an identity authentication certificate, and only the stored one needs to be updated. The way of updating is not limited, provided that the account identity authentication certificate ends up containing all public keys of the account at its different terminals. After the update the certificate must be re-signed, that is, the server signs the current content of the account identity authentication certificate with the CA's private key; the signature made before the update no longer covers the changed content and would fail verification.
According to the technical scheme of this embodiment, when the terminal where the account is located applies to the server for a signature certificate, the server generates an identity authentication certificate in addition to the corresponding digital certificate, and the public key field of the identity authentication certificate contains all public key information of the same account. During identity authentication the server therefore does not need to call the multiple digital certificate files of the same account one by one for signature verification; it only needs to call the single identity authentication certificate file and use the public key field in it, which speeds up signature verification, shortens the verification time and improves verification efficiency.
Optionally, as an embodiment, generating the account identity authentication certificate from the digital certificate specifically means that the account identity authentication certificate is identical to the digital certificate.
The identity authentication certificate contains all public keys of the account at its different terminals. If this is the account's first application for a digital certificate, the server holds only the public key applied for by one terminal of the account, so for such an account the identity authentication certificate is identical to the digital certificate. It can be obtained by copying the generated digital certificate, or two copies of the digital certificate can be produced directly while it is generated, one of which serves as the account identity authentication certificate; in either case the account identity authentication certificate is confirmed to be identical to the digital certificate at the time it is generated.
This embodiment provides a way of generating the account identity authentication certificate: when an account applies to the server for a digital certificate for the first time, the corresponding account identity authentication certificate is generated, and the account identity authentication certificate and the account's digital certificate are two mutually independent files that do not interfere with each other in use and do not affect the encryption and decryption of a transmission.
Optionally, as an embodiment, updating the stored account identity authentication certificate with the public key of the digital certificate generated last specifically comprises:
extracting the public key of the digital certificate generated last and adding it to the public key field of the stored account identity authentication certificate.
If this is not the account's first application for a digital certificate, another terminal of the account has already applied for a digital certificate, the server already holds an identity authentication certificate for the account, and that certificate already contains the public keys applied for by all of the account's previous terminals. It is therefore sufficient to add the public key of the digital certificate applied for this time to the public key field of the stored account identity authentication certificate.
In this embodiment, when different terminals of the account apply to the server for certificates, the public key of each newly applying terminal is added to the public key field of the account identity authentication certificate, so that the public key field contains the public keys of all current terminals of the account.
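The following Go program is an added example, not code from the patent or its assignee; it walks through S201 to S205 for two terminals of one account. The per-terminal digital certificate is a real X.509v3 certificate issued with the standard library's crypto/x509, with the subject common name carrying the account ID as in fig. 1. Because a standard X.509v3 certificate has a single subject public key field, the account identity authentication certificate is modelled as the example's own record holding the PKIX encoding of every key, signed by the CA key with ECDSA over a length-prefixed digest. The names AuthCert, CA, HandleApplication and NewTerminalKey, the P-256 curve and the validity periods are this example's assumptions. A repeat application from a terminal whose key is already present does not add the key twice, a case the patent text leaves open.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"fmt"
	"math/big"
	"time"
)

// AuthCert models the account identity authentication certificate: one record
// per account ID whose public-key field holds the PKIX/DER encoding of every
// terminal public key of the account. This is the example's own structure; a
// standard X.509v3 certificate carries a single subject public key.
type AuthCert struct {
	AccountID  string
	PublicKeys [][]byte
	NotBefore  time.Time
	NotAfter   time.Time
	Signature  []byte // CA signature over digest()
}

// digest covers every field the CA vouches for, each length-prefixed so that
// key boundaries are unambiguous. Changing any field invalidates the old
// signature, which is why S205 re-signs after every update.
func (a *AuthCert) digest() []byte {
	h := sha256.New()
	put := func(b []byte) {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(b)))
		h.Write(n[:])
		h.Write(b)
	}
	put([]byte(a.AccountID))
	put([]byte(a.NotBefore.UTC().Format(time.RFC3339)))
	put([]byte(a.NotAfter.UTC().Format(time.RFC3339)))
	for _, k := range a.PublicKeys {
		put(k)
	}
	return h.Sum(nil)
}

// Verify checks the CA signature on the record.
func (a *AuthCert) Verify(caPub *ecdsa.PublicKey) bool {
	return ecdsa.VerifyASN1(caPub, a.digest(), a.Signature)
}

// CA holds the signing key, the CA's self-signed certificate and the store of
// account identity authentication certificates indexed by account ID.
type CA struct {
	Key    *ecdsa.PrivateKey
	Cert   *x509.Certificate
	store  map[string]*AuthCert
	serial int64
}

// NewTerminalKey is S301: the terminal generates its own key pair (P-256 here).
func NewTerminalKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewCA creates a self-signed CA certificate; the same curve is used for brevity.
func NewCA() (*CA, error) {
	key := NewTerminalKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert, store: map[string]*AuthCert{}, serial: 1}, nil
}

// HandleApplication is S202 to S205 for one signature certificate application:
// issue the terminal's X.509v3 digital certificate, then create the account
// identity authentication certificate (first application) or append the new
// public key to the stored one, and re-sign it with the CA key.
func (c *CA) HandleApplication(accountID string, pub *ecdsa.PublicKey, validity time.Duration) (*x509.Certificate, *AuthCert, error) {
	c.serial++
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(c.serial),
		Subject:      pkix.Name{CommonName: accountID}, // subject name = account ID (fig. 1)
		NotBefore:    now, NotAfter: now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.Cert, pub, c.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	ac, ok := c.store[accountID] // S203: known account ID means not the first application
	if !ok {                     // S204: the record starts as a copy of the certificate's fields
		ac = &AuthCert{AccountID: accountID, NotBefore: cert.NotBefore, NotAfter: cert.NotAfter}
		c.store[accountID] = ac
	}
	dup := false // S205: append the new key unless this terminal's key is already present
	for _, k := range ac.PublicKeys {
		dup = dup || bytes.Equal(k, keyDER)
	}
	if !dup {
		ac.PublicKeys = append(ac.PublicKeys, keyDER)
	}
	if ac.Signature, err = ecdsa.SignASN1(rand.Reader, c.Key, ac.digest()); err != nil {
		return nil, nil, err
	}
	return cert, ac, nil
}

func main() {
	ca, err := NewCA()
	if err != nil {
		panic(err)
	}
	for i := 0; i < 2; i++ { // two terminals of the same account apply in turn
		term := NewTerminalKey()
		cert, ac, err := ca.HandleApplication("account-1001", &term.PublicKey, 365*24*time.Hour)
		if err != nil {
			panic(err)
		}
		fmt.Printf("serial %v issued; auth cert holds %d key(s), CA signature valid: %v\n",
			cert.SerialNumber, len(ac.PublicKeys), ac.Verify(&ca.Key.PublicKey))
	}
}
```

Run with go run; the output shows the key count going from one to two while the CA signature over the record stays verifiable after each re-signing. Updating the validity period of the record, which the patent treats as a separate step, is not shown here: the record keeps the first certificate's validity.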
Optionally, as an embodiment, after updating the stored account identity authentication certificate and before re-signing it, the method further comprises updating the certificate validity period of the account identity authentication certificate.
The following description is given by way of specific examples.
As shown in fig. 4, the method differs from that of fig. 2 only in steps S405 to S407; the remaining steps are the same as in fig. 2, so only the differences are described here and the common steps are not repeated.
S405: update the stored account identity authentication certificate with the public key of the digital certificate generated last;
If this is not the account's first application for a digital certificate, the account already has an identity authentication certificate and only the stored one needs to be updated. The way of updating is not limited, provided that the account identity authentication certificate contains all public keys of the account at its different terminals.
S406: update the certificate validity period of the account identity authentication certificate;
For security, the account identity authentication certificate carries a certificate validity period. During signature verification it must be determined whether the current time lies within the validity period of the identity authentication certificate; if it does not, the identity authentication certificate is invalid and cannot be used for verification.
S407: re-sign the identity authentication certificate;
After the account identity authentication certificate has been updated it must be re-signed, that is, the server signs the account identity authentication certificate with the CA's private key.
In this embodiment the certificate validity period of the account identity authentication certificate is limited and kept up to date, so that the identity authentication certificate can be used normally only within its validity period, which improves its security. In use, the validity period of the identity authentication certificate is checked first: signature verification is performed only if the current time lies within the validity period, and is refused otherwise. Because any change to the account identity authentication certificate can also update the certificate validity period, the validity period is always in its latest state.
Optionally, as an embodiment, updating the certificate validity period of the account identity authentication certificate specifically comprises one of the following:
changing the certificate validity period of the account identity authentication certificate to that of the digital certificate generated last; or extracting the validity periods of all stored digital certificates of the account, comparing them, identifying the M-th digital certificate as the one with the shortest validity period, and changing the certificate validity period of the account identity authentication certificate to that of the M-th digital certificate; or extracting and comparing the validity periods of all stored digital certificates of the account in the same way, identifying the M-th digital certificate as the one with the longest validity period, and changing the certificate validity period of the account identity authentication certificate to that of the M-th digital certificate; where M is a positive integer greater than or equal to 1.
This embodiment provides several ways of updating the certificate validity period of the account identity authentication certificate: it can be set to the validity period of the digital certificate generated last, or the validity periods of all the account's digital certificates can be compared to find the shortest or the longest one, which is then adopted, so that the validity period of the account identity authentication certificate stays within a reasonable range. With the longest-validity alternative, the identity authentication certificate may remain in date after some of the digital certificates whose keys it contains have expired; those keys are then removed by the periodic check described below.
Optionally, as an embodiment, extracting and comparing the validity periods of all stored digital certificates of the account and determining that the M-th digital certificate has the shortest validity period specifically comprises: extracting the certificate start date and certificate end date from the certificate validity field of every stored digital certificate of the account; determining the shortest either by the length of time between start date and end date, or by the end date that is nearest to the current date; and taking the digital certificate so determined as the M-th digital certificate.
Optionally, as an embodiment, extracting and comparing the validity periods of all stored digital certificates of the account and determining that the M-th digital certificate has the longest validity period specifically comprises: extracting the certificate start date and certificate end date from the certificate validity field of every stored digital certificate of the account; determining the longest either by the length of time between start date and end date, or by the end date that is farthest from the current date; and taking the digital certificate so determined as the M-th digital certificate.
These embodiments specify how the digital certificate with the shortest or the longest validity period is determined as the M-th digital certificate.
Optionally, as an embodiment, the certificate validity period of each digital certificate is checked periodically; if the current date is determined not to be within the certificate validity period of a digital certificate, the account identity authentication certificate is updated according to the account identity identification information of that digital certificate, so that every public key in the account identity authentication certificate on the current date lies within the certificate validity period of its corresponding digital certificate.
The following description is given by way of specific examples, see fig. 5. Compared with the embodiment of fig. 2, this embodiment adds steps S506 and S507; the remaining steps are the same as in fig. 2, so only the differences are described here and the common steps are not repeated.
S506: periodically determine whether the current date is within the certificate validity period of the digital certificate, and if not, execute step S507.
The validity period of the digital certificate can be checked at a set interval; optionally the interval is 24 h. If the current time is not within the certificate validity period of the digital certificate, the digital certificate is in a disabled state and cannot be used for encryption, decryption, identity authentication and so on, and its public key likewise cannot be used for identity verification, which is why the validity of the digital certificate needs to be checked periodically.
S507: update the account identity authentication certificate according to the account identity identification information of the digital certificate.
If the current date is not within the certificate validity period of the digital certificate, the corresponding public key in the digital certificate is unavailable; the account identity authentication certificate of the account is looked up by the account identity identification information of the digital certificate and updated so that every public key in the account identity authentication certificate on the current date lies within the certificate validity period of its corresponding digital certificate, and the account identity authentication certificate is re-signed.
In this technical scheme, periodically checking the validity of each digital certificate determines whether its public key is still usable; if a digital certificate has become invalid, the identity authentication certificate of the corresponding account is updated and re-signed, so that the public keys in the account identity authentication certificate are always in their latest state. This prevents a public key whose digital certificate has expired from remaining usable through the account identity authentication certificate, and improves the security of the identity authentication certificate.
Optionally, as an embodiment, updating the account identity authentication certificate according to the account identity identification information of the digital certificate specifically comprises: determining the account identity authentication certificate from the account identity identification information of the digital certificate; searching the account identity authentication certificate for the public key that is the same as the public key of the digital certificate; and deleting that public key from the account identity authentication certificate.
This embodiment specifies how the account identity authentication certificate is updated according to the account identity identification information of the digital certificate: the account identity authentication certificate and the public key matching the digital certificate are determined from the account identity identification information, and that public key is deleted, so that the account identity authentication certificate is in its latest state, every public key it holds on the current date lies within the certificate validity period of its corresponding digital certificate, and the security of the account identity authentication certificate is improved.
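As an added example, not code from the patent, the following Go program implements the validity-period alternatives of S406 and the periodic pruning of S506/S507 over constructed sample data. DigitalCert, AuthCert, Policy, UpdateValidity and PruneExpired are the example's own names; public keys are labels rather than encoded keys, and "shortest" and "longest" are offered both by the span between start and end date and by the distance of the end date from the current date, matching the two readings given in the text. PruneExpired returns the account IDs whose record changed so the caller knows which records to re-sign; it treats a certificate whose validity has not yet begun the same way as an expired one, because the text keys on the current date being outside the validity range.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// Validity mirrors the certificate validity field: a start and an end date.
type Validity struct {
	NotBefore, NotAfter time.Time
}

// Contains reports whether t lies in the period (both ends inclusive, as in RFC 5280).
func (v Validity) Contains(t time.Time) bool {
	return !t.Before(v.NotBefore) && !t.After(v.NotAfter)
}

// DigitalCert is a stored per-terminal digital certificate reduced to the fields
// this step reads; PublicKey is a label standing in for the encoded key.
type DigitalCert struct {
	AccountID string
	PublicKey string
	Validity
}

// AuthCert is the account identity authentication certificate: every public
// key of the account plus one validity period.
type AuthCert struct {
	AccountID  string
	PublicKeys []string
	Validity
}

// Policy selects one alternative of S406.
type Policy int

const (
	Latest           Policy = iota // validity of the digital certificate generated last
	ShortestDuration               // smallest span between start and end date
	EarliestEnd                    // end date nearest to the current date
	LongestDuration                // largest span between start and end date
	LatestEnd                      // end date farthest from the current date
)

// prefer reports whether c should replace best under policy p.
func prefer(c, best DigitalCert, p Policy) bool {
	switch p {
	case ShortestDuration:
		return c.NotAfter.Sub(c.NotBefore) < best.NotAfter.Sub(best.NotBefore)
	case LongestDuration:
		return c.NotAfter.Sub(c.NotBefore) > best.NotAfter.Sub(best.NotBefore)
	case EarliestEnd:
		return c.NotAfter.Before(best.NotAfter)
	case LatestEnd:
		return c.NotAfter.After(best.NotAfter)
	}
	return false
}

// UpdateValidity sets the validity of the account's identity authentication
// certificate from its stored digital certificates, given in issuance order
// (the last element is the one generated last). The caller re-signs afterwards.
func UpdateValidity(ac *AuthCert, certs []DigitalCert, p Policy) error {
	if len(certs) == 0 {
		return errors.New("no digital certificate stored for account " + ac.AccountID)
	}
	best := certs[len(certs)-1]
	if p != Latest {
		best = certs[0]
		for _, c := range certs[1:] {
			if prefer(c, best, p) {
				best = c
			}
		}
	}
	ac.Validity = best.Validity
	return nil
}

// PruneExpired is the periodic check of S506/S507: the public key of every
// digital certificate whose validity does not contain now is removed from the
// account's identity authentication certificate. It returns the account IDs
// whose record changed and therefore must be re-signed.
func PruneExpired(store map[string]*AuthCert, certs []DigitalCert, now time.Time) []string {
	changed := map[string]bool{}
	for _, c := range certs {
		ac := store[c.AccountID]
		if ac == nil || c.Contains(now) {
			continue
		}
		kept := make([]string, 0, len(ac.PublicKeys))
		for _, k := range ac.PublicKeys {
			if k != c.PublicKey {
				kept = append(kept, k)
			}
		}
		if len(kept) != len(ac.PublicKeys) {
			ac.PublicKeys = kept
			changed[c.AccountID] = true
		}
	}
	ids := make([]string, 0, len(changed))
	for id := range changed {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

func main() {
	day := 24 * time.Hour
	t0 := time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC)
	certs := []DigitalCert{ // constructed sample: one account, three terminals
		{"acct", "k1", Validity{t0, t0.Add(30 * day)}},
		{"acct", "k2", Validity{t0.Add(10 * day), t0.Add(400 * day)}},
		{"acct", "k3", Validity{t0.Add(20 * day), t0.Add(200 * day)}},
	}
	ac := &AuthCert{AccountID: "acct", PublicKeys: []string{"k1", "k2", "k3"}}
	for _, p := range []Policy{Latest, ShortestDuration, LongestDuration} {
		_ = UpdateValidity(ac, certs, p)
		fmt.Printf("policy %d: %s .. %s\n", p, ac.NotBefore.Format("2006-01-02"), ac.NotAfter.Format("2006-01-02"))
	}
	store := map[string]*AuthCert{"acct": ac}
	fmt.Println("re-sign:", PruneExpired(store, certs, t0.Add(45*day)), "remaining keys:", ac.PublicKeys) // k1 expired on day 30
}
```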
Optionally, as an embodiment, the present invention further provides an identity authentication method applied to a certificate authority (CA) server, the method comprising:
receiving a request message sent by the terminal of an account, the request message applying for identity authentication; generating random information and sending it to the terminal of the account;
receiving an identity authentication request message sent by the terminal of the account, the identity authentication request message comprising the identity identification information and the signature value information of the account, where the identity identification information identifies the account and the signature value information was generated by signing the random information with the private key of the terminal of the account;
obtaining the identity authentication certificate of the account from the identity identification information of the account, and obtaining the public key information in the public key field of that identity authentication certificate, the public key information comprising all public keys of the account;
verifying the signature value information with the public keys in the public key information one by one; if verification with one of the public keys yields the random information, identity authentication passes; if all verification results differ from the random information, identity authentication fails; and sending the authentication result to the terminal of the account.
The following description is made by way of example, and is specifically shown in FIG. 6.
S601: the terminal where the account is located sends a request message to the server;
When identity authentication is required, the terminal where the account is located sends a request to the server side; the request is sent as a message and applies for identity authentication.
S602: the server generates a random number;
When the server receives the request message from the terminal it generates random information. The form of the random information is not limited; here it takes the form of a random number. The random number must be newly generated for each request, so that a signature produced for one request cannot be replayed for another.
S603: the server sends the random number to the terminal;
The server sends the generated random information, here a random number, to the terminal to be authenticated.
S604: the terminal signs the random number with its private key to produce a signature value;
After receiving the random information, the terminal signs the random number with the private key of the key pair it generated when it applied to the server for its digital certificate, producing a signature value.
S605: send an identity authentication request message carrying the signature value and the identity identification information;
After producing the signature value, the terminal sends it to the server together with the identity identification information: the identity authentication request message contains the identity identification information and the signature value information of the account, where the identity identification information identifies the account and the signature value information was produced by signing the random number from the server with the private key of the account's terminal.
S606: the server obtains the account identity authentication certificate from the received account identity identification information and obtains the public key information in its public key field;
After receiving the signature value and the identity identification information, the server locates the identity authentication certificate of the account from the identity identification information and extracts the public key information from its public key field. Because that field contains all public keys of the account's different terminals, the server does not need to call the digital certificates of those terminals for authentication; calling the account identity authentication certificate alone is sufficient.
S607: verify the signature value information against the random number with the public keys in the public key information one by one;
The signature value is a unique value produced by a terminal of the account signing, with its private key, the random information sent by the server. If applying the account's public key to the signature value yields the random value that was sent, the private key and that public key form a matching pair, which proves the identity of the terminal where the account is located. (This describes a signature scheme in which verification recovers the signed value; for signature schemes whose verification instead returns accept or reject, the server checks the signature value against the random number it issued and the candidate public key, with the same outcome.)
The public keys in the public key information are therefore used one by one to verify whether the signature value information corresponds to the random number. If one of the verification results matches the random number, identity authentication passes and the identity of the terminal where the account is located is confirmed; if all verification results differ from the random information, identity authentication fails and the identity of the terminal cannot be confirmed. The random number compared against must be the one the server issued for this request; after the comparison it should not be accepted again.
S608: send the identity authentication result.
The server side sends the authentication result to the terminal where the account is located according to the verification result.
In this embodiment, identity verification uses the account identity authentication certificate. Because that certificate contains all public key information of the account's different terminals, the signature verification process needs only the single account identity authentication certificate file and does not call the multiple digital certificate files of the same account one by one, which speeds up signature verification on the server, shortens the verification time and improves verification efficiency.
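The exchange of S601 to S608, as an added Go example rather than code from the patent. Server, Challenge, Authenticate, Sign and NewTerminalKey are the example's names; the account identity authentication certificate is reduced to the list of the account's public keys (a real server would first check the CA signature on that record and its validity period). The random information is a 32-byte value from crypto/rand, and the signature is ECDSA over a SHA-256 hash, so the server checks the signature against the random number rather than recovering it. Two details go beyond the text: the server keeps one outstanding challenge per account with a one-minute lifetime and discards it on the first authentication attempt, so a captured signature cannot be replayed, and the hash is prefixed with a fixed context string so that a signature made for this protocol cannot be reused as a signature on other data under the same terminal key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sync"
	"time"
)

// domain separates challenge signatures from any other use of the terminal key
// (this example's choice; the patent signs the bare random number).
const domain = "account-identity-auth-v1:"

// Server is the CA server side of S601 to S608. The account identity
// authentication certificate is reduced to the public keys of all the
// account's terminals, indexed by account ID.
type Server struct {
	mu       sync.Mutex
	authCert map[string][]*ecdsa.PublicKey
	pending  map[string]challenge // one outstanding challenge per account
	lifetime time.Duration
}

type challenge struct {
	nonce   []byte
	expires time.Time
}

func NewServer() *Server {
	return &Server{authCert: map[string][]*ecdsa.PublicKey{}, pending: map[string]challenge{}, lifetime: time.Minute}
}

// NewTerminalKey is S301 on the terminal: the key pair whose public half was
// placed in the signature certificate application.
func NewTerminalKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Enroll records a terminal public key in the account's authentication
// certificate (the output of the generation method).
func (s *Server) Enroll(accountID string, pub *ecdsa.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.authCert[accountID] = append(s.authCert[accountID], pub)
}

// Challenge is S602/S603: fresh random information for this request, remembered briefly.
func (s *Server) Challenge(accountID string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[accountID] = challenge{nonce: nonce, expires: time.Now().Add(s.lifetime)}
	return nonce, nil
}

func digest(nonce []byte) []byte {
	h := sha256.Sum256(append([]byte(domain), nonce...))
	return h[:]
}

// Sign is S604 on the terminal: sign the random number with the terminal's private key.
func Sign(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(nonce))
}

// Authenticate is S606/S607: fetch the account's authentication certificate and
// try every public key in it against the signature. The outstanding challenge
// is consumed on the first attempt, whether or not authentication passes.
func (s *Server) Authenticate(accountID string, sig []byte) (bool, error) {
	s.mu.Lock()
	ch, ok := s.pending[accountID]
	delete(s.pending, accountID)
	keys := s.authCert[accountID]
	s.mu.Unlock()
	if !ok {
		return false, errors.New("no outstanding challenge for " + accountID)
	}
	if time.Now().After(ch.expires) {
		return false, errors.New("challenge expired")
	}
	if len(keys) == 0 {
		return false, errors.New("no identity authentication certificate for " + accountID)
	}
	d := digest(ch.nonce)
	for _, pub := range keys {
		if ecdsa.VerifyASN1(pub, d, sig) {
			return true, nil // one matching public key is enough (S607)
		}
	}
	return false, nil
}

func main() {
	s := NewServer()
	phone, laptop := NewTerminalKey(), NewTerminalKey()
	s.Enroll("account-1001", &phone.PublicKey)
	s.Enroll("account-1001", &laptop.PublicKey)
	nonce, _ := s.Challenge("account-1001")
	sig, _ := Sign(laptop, nonce)
	ok, err := s.Authenticate("account-1001", sig)
	fmt.Println("laptop authenticated:", ok, err)
	_, err = s.Authenticate("account-1001", sig) // replay of the same signature
	fmt.Println("replay rejected:", err)
}
```

The server loops over the keys in the order they were enrolled, so a key that was removed by the periodic expiry check simply never matches; the per-account challenge map is the only state the server keeps between S603 and S607.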
Based on the same inventive concept, an embodiment of the present invention further provides an apparatus for generating an authentication certificate, as shown in fig. 7, where the apparatus includes:
a receiving module 701, configured to receive a signature certificate application message sent by the terminal where an account is located, the message including at least identity identification information of the account and a public key, where the identity identification information identifies the account and the public key is generated by that terminal;
a generating module 702, configured to generate, from the signature certificate application message received by the receiving module, a digital certificate corresponding to the terminal where the account is located, the digital certificate including the public key, and to store the digital certificate and send it to that terminal;
the generating module 702 is further configured, if this is the account's first signature certificate application, to generate the account identity authentication certificate from the digital certificate; otherwise, to update the stored account identity authentication certificate with the public key of the most recently generated digital certificate, so that the account identity authentication certificate holds all of the account's public keys across its different terminals, and to re-sign the account identity authentication certificate.
Generating the account identity authentication certificate from the digital certificate, as performed by the generating module 702, specifically means: on the first application the account identity authentication certificate is created with the same contents as the digital certificate.
Updating the stored account identity authentication certificate with the public key of the most recently generated digital certificate, as performed by the generating module 702, specifically means: extracting that public key and adding it to the public key field of the stored account identity authentication certificate.
The generating module 702 is further configured to update the certificate validity period of the account identity authentication certificate.
Updating the certificate validity period of the account identity authentication certificate specifically means one of the following: setting it to the certificate validity period of the most recently generated digital certificate; or extracting the validity periods of all of the account's stored digital certificates, comparing them, and setting it to the validity period of the Mth digital certificate, the one whose validity period is shortest; or performing the same comparison and setting it to the validity period of the Mth digital certificate, the one whose validity period is longest; where M is a positive integer greater than or equal to 1. Under the "most recent" and "longest" rules the account identity authentication certificate can remain valid after some of the individual digital certificates it aggregates have expired, so the periodic check described next is what actually removes those keys.
The generating module 702 is further configured to periodically check the certificate validity period of each digital certificate and, if the current date is not within the validity period of a digital certificate, to update the account identity authentication certificate according to the account identity identification information of that digital certificate, so that every public key remaining in the account identity authentication certificate belongs to a digital certificate that is still within its validity period on the current date.
Updating the account identity authentication certificate according to the account identity identification information of the digital certificate specifically comprises: locating the account identity authentication certificate by that account identity identification information; finding in it the public key that is the same as the public key of the expired digital certificate; and deleting that public key from the account identity authentication certificate.
Based on the same inventive concept, an embodiment of the present invention further provides an identity authentication apparatus, as shown in fig. 8, which comprises a receiving module, an interaction module and a verification module:
a receiving module 801, configured to receive a request message and an identity authentication request message sent by an account terminal, where the request message applies for identity authentication, and the identity authentication request message includes identity identification information of the account and signature value information, the identity identification information identifying the account and the signature value information being produced by the account terminal signing, with its private key, the random information generated by the apparatus;
an interaction module 802, configured to generate random information in response to the request message received by the receiving module 801 and send it to the account terminal; further configured to obtain the account identity authentication certificate according to the identity identification information in the identity authentication request message received by the receiving module, and to obtain the public key information in the public key field of that certificate, the public key information comprising all public keys of the account; and further configured to send the verification result of the verification module 803 to the account terminal;
a verification module 803, configured to verify the signature value information with the public keys in the public key information obtained by the interaction module 802, one public key at a time: if verification with any one public key succeeds (the value recovered from the signature matches the random information), identity authentication passes; if verification fails with every public key, identity authentication fails; the verification result is passed to the interaction module 802.
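The certificate-generation flow (modules 701 and 702 above, including the three validity-period rules and the periodic removal of expired keys) and the challenge-response authentication flow (modules 801 to 803) can be exercised end to end in one model. The following Python block is an added example written for this page, not code from the patent or its assignee. It assumes: textbook RSA over 160-bit primes as a stand-in for whatever signature algorithm the real system uses (a toy, not for production), a dict with `account`, `pubs`, `not_after` and `sig` fields in place of an X.509 certificate, a `policy` argument (`"latest"`, `"shortest"`, `"longest"`) selecting among the three validity-period rules, and that the CA server itself performs the authentication, as claim 6 states. The class and function names (`CA`, `issue`, `prune_expired`, `challenge`, `authenticate`, `check_account_cert`) are the example's own.

```python
"""Toy model of the scheme described above: added example, not the patent's code.
Textbook RSA over small primes stands in for a real signature algorithm, a dict for X.509."""
import hashlib
import random
from datetime import date, timedelta

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; fine for a toy key generator, not for real keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _rand_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(c):
            return c

def keygen(bits=160):
    """Return ((n, e), (n, d)); 320-bit toy modulus, NOT for production use."""
    e = 65537
    while True:
        p, q = _rand_prime(bits), _rand_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
def sign(priv, msg):
    n, d = priv
    return pow(_h(msg, n), d, n)
def verify(pub, msg, sig):
    """RSA recovery: sig^e mod n must equal the digest of the signed message."""
    n, e = pub
    return pow(sig, e, n) == _h(msg, n)
def _tbs(acct):  # bytes the CA signs: account id, every public key, validity end
    return repr((acct["account"], acct["pubs"], acct["not_after"])).encode()

class CA:
    """CA server: one digital certificate per terminal, plus one aggregate account
    identity authentication certificate holding all of the account's public keys."""
    def __init__(self, today=None):
        self.today = today or date.today()
        self.pub, self.priv = keygen()
        self.device_certs = []   # one entry per (account, terminal)
        self.account_certs = {}  # account id -> aggregate certificate

    def issue(self, account, pub, days, policy="latest"):
        """Handle one signature certificate application from a terminal."""
        dev = {"account": account, "pub": pub, "not_after": self.today + timedelta(days=days)}
        self.device_certs.append(dev)
        acct = self.account_certs.get(account)
        if acct is None:  # first application: account cert has the device cert's contents
            acct = {"account": account, "pubs": [pub], "not_after": dev["not_after"]}
        else:             # later application: append the key, then apply the validity rule
            acct["pubs"].append(pub)
            ends = [c["not_after"] for c in self.device_certs if c["account"] == account]
            acct["not_after"] = {"latest": dev["not_after"], "shortest": min(ends),
                                 "longest": max(ends)}[policy]
        acct["sig"] = sign(self.priv, _tbs(acct))  # re-sign after every change
        self.account_certs[account] = acct
        return dev

    def prune_expired(self):
        """Periodic check: remove keys whose own digital certificate has lapsed."""
        for dev in [c for c in self.device_certs if self.today > c["not_after"]]:
            acct = self.account_certs[dev["account"]]
            acct["pubs"] = [k for k in acct["pubs"] if k != dev["pub"]]
            acct["sig"] = sign(self.priv, _tbs(acct))
            self.device_certs.remove(dev)

    def challenge(self):
        return random.getrandbits(128).to_bytes(16, "big")  # fresh random information per request

    def authenticate(self, account, nonce, sig):
        """Try each key in the account certificate in turn; one valid signature passes."""
        acct = self.account_certs.get(account)
        return acct is not None and any(verify(k, nonce, sig) for k in acct["pubs"])

def check_account_cert(ca_pub, acct):
    """Relying-party check of the CA signature over the aggregate certificate."""
    return verify(ca_pub, _tbs(acct), acct["sig"])
```

Issue one certificate per terminal with `ca.issue(account, pub, days, policy)`, then authenticate a terminal by having it sign `ca.challenge()` with its private key and passing account id, random information and signature to `ca.authenticate`. Two points the page implies but does not spell out deserve a check in any real deployment: the random information must be fresh for each request and never accepted twice, otherwise a captured signature value can be replayed; and under the `"latest"` and `"longest"` rules the aggregate certificate outlives some device certificates, so `prune_expired` (the periodic check of module 702) is the only thing that removes a lapsed terminal's key. Trying every key in turn also costs one verification per terminal; a key identifier in the authentication request would let the server pick the right key directly, an addition this example does not make.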
Based on the same inventive concept, an embodiment of the present invention further provides an electronic device, as shown in fig. 9, comprising at least a processor 901 and a memory 902, the processor being configured, when executing a computer program stored in the memory, to perform any of the identity verification certificate generation methods and the identity authentication method of the foregoing embodiments.
Based on the same inventive concept, an embodiment of the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs any of the identity verification certificate generation methods and the identity authentication method of the foregoing embodiments.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. An identity authentication certificate generation method is applied to a Certificate Authority (CA) server, and comprises the following steps:
receiving a signature certificate application message sent by a terminal where an account is located, wherein the signature certificate application message at least comprises identity identification information and a public key of the account, the identity identification information is used for identifying the account, and the public key is generated by the terminal where the account is located;
generating a digital certificate corresponding to the terminal where the account is located according to a signature certificate application message sent by the terminal where the account is located, wherein the digital certificate at least comprises a certificate validity period and the public key, and storing the digital certificate;
if the account applies for a signature certificate for the first time, generating the account identity authentication certificate according to the digital certificate; if the account does not apply for the signature certificate for the first time, updating the stored account identity authentication certificate according to the public key of the digital certificate generated for the last time, wherein the account identity authentication certificate comprises all the public keys of the account, and re-signing the identity authentication certificate.
2. The method according to claim 1, wherein the generating the account authentication certificate according to the digital certificate specifically includes:
the account authentication certificate is the same as the digital certificate.
3. The method according to claim 1, wherein the updating the stored account authentication certificate according to the latest generated public key of the digital certificate specifically comprises:
and extracting the public key of the digital certificate generated last time, and adding the public key to the public key field of the stored account authentication certificate.
4. The method according to claim 1, further comprising, after updating the stored account authentication certificate and before re-signing the authentication certificate, updating the certificate validity period of the account authentication certificate, specifically comprising:
changing the certificate validity period of the account authentication certificate to the certificate validity period of the digital certificate generated last time;
or extracting and comparing the validity periods of all the stored digital certificates of the account, confirming that the validity period of the Mth digital certificate is the shortest, and changing the certificate validity period of the account identity authentication certificate into the certificate validity period of the Mth digital certificate;
or extracting and comparing the validity periods of all the stored digital certificates of the account, confirming that the validity period of the Mth digital certificate is longest, and changing the certificate validity period of the account identity authentication certificate into the certificate validity period of the Mth digital certificate;
wherein M is a positive integer greater than or equal to 1.
5. The method of claim 1, further comprising: periodically checking the certificate validity period of the digital certificate, and if the current date is determined not to be within the certificate validity period of the digital certificate, updating the account identity authentication certificate according to the account identity identification information of the digital certificate, specifically comprising:
determining the account identity authentication certificate according to the account identity identification information of the digital certificate;
searching a public key which is the same as the digital certificate in the account authentication certificate;
and deleting the public key which is the same as the digital certificate in the account authentication certificate.
6. An identity authentication method is applied to a Certificate Authority (CA) server, and comprises the following steps:
receiving a request message sent by an account terminal, wherein the request message is used for applying for identity authentication, generating random information and sending the random information to the account terminal;
receiving an identity authentication request message sent by an account terminal, wherein the identity authentication request message comprises identity identification information and signature value information of the account, the identity identification information is used for identifying the account, and the signature value information is generated by a private key of the account terminal for signing the random information;
acquiring an authentication certificate of the account according to the identity identification information of the account, and acquiring public key information in a public key field of the authentication certificate of the account, wherein the public key information comprises all public keys of the account;
verifying the signature value information one by one with the public keys in the public key information; if the verification result with one of the public keys is the same as the random information, identity authentication passes; if all verification results differ from the random information, identity authentication fails; and sending the authentication result to the account terminal.
7. An apparatus for generating an authentication certificate, the apparatus comprising:
a receiving module and a generating module, wherein the receiving module is configured to receive a signature certificate application message sent by the terminal where an account is located, the signature certificate application message comprising at least identity identification information of the account and a public key, where the identity identification information identifies the account and the public key is generated by the terminal where the account is located;
the generating module is used for generating a digital certificate corresponding to the terminal where the account is located according to the signature certificate application message received by the receiving module, wherein the digital certificate at least comprises a certificate validity period and the public key, and the digital certificate is stored;
the generation module is further configured to generate the account authentication certificate according to the digital certificate if the account applies for a signature certificate for the first time; if the account does not apply for the signature certificate for the first time, updating the stored account identity authentication certificate according to the public key of the digital certificate generated for the last time, wherein the account identity authentication certificate comprises all the public keys of the account, and re-signing the identity authentication certificate.
8. An identity authentication apparatus, the apparatus comprising: the system comprises a receiving module, an interaction module and a verification module;
the receiving module is configured to receive a request message and an identity authentication request message sent by an account terminal, where the request message applies for identity authentication, the identity authentication request message includes identity identification information of the account and signature value information, the identity identification information identifies the account, and the signature value information is generated by the account terminal signing, with its private key, the random information generated by the apparatus;
the interaction module is configured to generate the random information according to the request message received by the receiving module and send it to the account terminal, is further configured to acquire the identity authentication certificate of the account according to the identity identification information in the identity authentication request message received by the receiving module and to acquire the public key information in the public key field of the account identity authentication certificate, the public key information comprising all public keys of the account, and is further configured to send the verification result of the verification module to the account terminal;
the verification module is configured to verify the signature value information one by one with the public keys in the public key information obtained by the interaction module; if the verification result with one of the public keys is the same as the random information, identity authentication passes; if the verification results with all of the public keys differ from the random information, identity authentication fails; and the verification result is transmitted to the interaction module.
9. An electronic device, comprising at least a processor and a memory, wherein the processor is configured to execute the method for generating an authentication certificate as claimed in any one of claims 1 to 5 and the method for authenticating an identity as claimed in claim 6 when executing a computer program stored in the memory.
10. A computer-readable storage medium storing a computer program, wherein the computer program is executed by a processor to perform the method for generating an authentication certificate according to any one of claims 1 to 5 and the method for authenticating an identity according to claim 6.
CN202111528197.2A 2021-12-14 2021-12-14 Identity verification certificate generation method, authentication method, device, equipment and medium Active CN114218548B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111528197.2A CN114218548B (en) 2021-12-14 2021-12-14 Identity verification certificate generation method, authentication method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN114218548A true CN114218548A (en) 2022-03-22
CN114218548B CN114218548B (en) 2022-08-19

Family

ID=80701927

Country Status (1)

Country Link
CN (1) CN114218548B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114553444A (en) * 2022-04-27 2022-05-27 北京时代亿信科技股份有限公司 Identity authentication method, identity authentication device and storage medium
CN115426106A (en) * 2022-08-26 2022-12-02 北京海泰方圆科技股份有限公司 Identity authentication method, device, system, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102970299A (en) * 2012-11-27 2013-03-13 西安电子科技大学 File safe protection system and method thereof
CN106453330A (en) * 2016-10-18 2017-02-22 深圳市金立通信设备有限公司 Identity authentication method and system
CN109150548A (en) * 2015-12-01 2019-01-04 神州融安科技(北京)有限公司 Digital certificate signing and signature verification method and system, and digital certificate system
CN109981677A (en) * 2019-04-08 2019-07-05 北京深思数盾科技股份有限公司 Credit management method and device
CN110278086A (en) * 2019-06-24 2019-09-24 晋商博创(北京)科技有限公司 Compatibility method, device, terminal, system and storage medium based on CPK and PKI
CN113472720A (en) * 2020-03-31 2021-10-01 山东云海安全认证服务有限公司 Digital certificate key processing method and device, terminal equipment and storage medium

Also Published As

Publication number Publication date
CN114218548B (en) 2022-08-19

Similar Documents

Publication Publication Date Title
CN110968743B (en) Data storage and data reading method and device for private data
CN107493273B (en) Identity authentication method, system and computer readable storage medium
CN110519260B (en) Information processing method and information processing device
CN101212293B (en) Identity authentication method and system
CN101145906B (en) Method and system for authenticating legality of receiving terminal in unidirectional network
CN111010410A (en) Mimicry defense system based on certificate identity authentication and certificate signing and issuing method
CN106452764B (en) Method for automatically updating identification private key and password system
CN109495268B (en) Two-dimensional code authentication method and device and computer readable storage medium
EP2954639A1 (en) Method and apparatus for embedding secret information in digital certificates
CN114218548B (en) Identity verification certificate generation method, authentication method, device, equipment and medium
KR20050037244A (en) Device authentication method using certificate and digital content processing device using the method
CN110740038B (en) Blockchain and communication method, gateway, communication system and storage medium thereof
EP2747377A2 (en) Trusted certificate authority to create certificates based on capabilities of processes
CN113382002B (en) Data request method, request response method, data communication system, and storage medium
CN113438205B (en) Block chain data access control method, node and system
CN112887282A (en) Identity authentication method, device and system and electronic equipment
CN114697040A (en) Electronic signature method and system based on symmetric key
CN111934884A (en) Certificate management method and device
CN111654503A (en) Remote control method, device, equipment and storage medium
CN115664655A (en) TEE credibility authentication method, device, equipment and medium
CN109670289B (en) Method and system for identifying legality of background server
CN113609213B (en) Method, system, device and storage medium for synchronizing device keys
CN114697038A (en) Quantum attack resistant electronic signature method and system
CN115242471B (en) Information transmission method, information transmission device, electronic equipment and computer readable storage medium
CN115174114B (en) SSL tunnel establishment method, server side and client side

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant